Security of EHR, etc

Security is always a topic worth discussing… Patient Portals are a big issue and we need to discuss models that are NOT browse directly into the data models …

This extract is from: Compromise Assessments & Penetration Testing in Healthcare | Healthcare IT Today

True Health Diagnostics, a Frisco, TX-based healthcare services company, recently became aware of a security flaw in their patient portal after an IT consultant logged in to view their test results and accessed other patients’ records by accident. Upon investigating the issue it was determined that because True Health uses sequential numbers on their patient record PDF files, users of the patient portal could easily alter a digit in the URL and therefore view the medical information of other patients (also known as Forceful Browsing).

We need to move forward with API (like FHIR) based solutions for access to patient data via apps, not portals.
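The forceful-browsing defect quoted above comes down to a record lookup with no ownership check. The following is an added example, not code from the thread or from any portal vendor: a constructed in-memory report store with sequential ids (as in the article's PDF naming), the unchecked lookup beside a hardened one that ties each report to the authenticated patient, logs denied attempts so id probing is visible to the SOC, and hands out unguessable handles instead of sequential numbers. All names, ids and data are constructed for illustration.

```python
"""Added example (not from the thread): sequential-id report lookup without
an ownership check, and a hardened equivalent with audit logging and opaque handles."""
import secrets
from dataclasses import dataclass


@dataclass
class Report:
    report_id: int      # sequential id, as in the article's PDF file naming
    patient_id: str     # owner of the report
    body: str


# Constructed sample data: two patients with consecutive report numbers.
REPORTS = {
    1001: Report(1001, "patient-A", "lipid panel for A"),
    1002: Report(1002, "patient-B", "lipid panel for B"),
}

# Audit trail of denied lookups; a burst of these from one session is the
# detection signal for someone walking the id space.
AUDIT_LOG = []

# Opaque handle -> internal id. Handles are random, so a leaked one cannot
# simply be incremented to reach a neighbouring record.
HANDLES = {}


class AccessDenied(Exception):
    """Raised for both missing and foreign reports so the response does not
    reveal whether a probed id exists."""


def fetch_report_vulnerable(report_id):
    """Vulnerable pattern: the only check is that the id exists. Any
    authenticated user who edits the id in the URL gets the record."""
    return REPORTS[report_id].body


def fetch_report_hardened(session_patient_id, report_id):
    """Hardened lookup: the report must belong to the authenticated patient."""
    report = REPORTS.get(report_id)
    if report is None or report.patient_id != session_patient_id:
        AUDIT_LOG.append({
            "event": "report_access_denied",
            "user": session_patient_id,
            "report_id": report_id,
        })
        raise AccessDenied("report not found")
    return report.body


def issue_handle(report_id):
    """Return an unguessable handle for a report (call only after the
    ownership check has passed, e.g. when rendering the patient's own list)."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = report_id
    return handle


def fetch_by_handle(session_patient_id, handle):
    """Resolve an opaque handle, then still enforce ownership: indirection
    is defence in depth, not a replacement for the authorization check."""
    report_id = HANDLES.get(handle)
    if report_id is None:
        raise AccessDenied("report not found")
    return fetch_report_hardened(session_patient_id, report_id)


def is_denied(session_patient_id, report_id):
    """Helper for callers and tests: True if the hardened lookup refuses."""
    try:
        fetch_report_hardened(session_patient_id, report_id)
    except AccessDenied:
        return True
    return False


def denied_attempts_for(session_patient_id):
    """Count denied lookups by a session; a threshold here feeds an alert."""
    return sum(1 for e in AUDIT_LOG if e["user"] == session_patient_id)


if __name__ == "__main__":
    print(fetch_report_vulnerable(1002))            # any caller reads patient B's report
    print(fetch_report_hardened("patient-A", 1001)) # own report, allowed
    print(is_denied("patient-A", 1002))             # foreign report, denied and logged
    print(denied_attempts_for("patient-A"))
```

The same ownership check belongs in the FHIR-based access path mentioned below as well: an API does not remove the need to bind every resource to the authenticated subject, it just makes the check easier to place in one layer.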


@tony

The vulnerability of OpenEMR made the press today. I have no idea if LibreHealth shares the same

Yeah, that is a file you are supposed to remove after setup.

Wouldn’t call this really “The Press” though… it’s someone’s mostly contextually irrelevant blog post. Where and how they would possibly come up with a “90 million patients” number clues me into the fact that it is not exactly a… a peer-reviewable paper…

Plus the “fix” is to simply delete the setup.php file after the setup is completed, as instructed.

We have a more elegant solution in the works, but it’s not a real vulnerability; it’s a security service using OpenEMR to advertise himself since he can’t do this kind of work on a proprietary product. The community typically benefits from this kind of transparency.

Removed the setup.php file.